Community discussions

MikroTik App
 
ruiesteves
newbie
Topic Author
Posts: 31
Joined: Wed Jan 11, 2017 9:30 pm

L2TP/IPSEC VPN with Windows 10

Fri Aug 03, 2018 10:46 pm

I am having difficulties remotely accessing through VPN.
I have a Mikrotik RB2011iL with RouterOS v6.42.6 and had setup a VPN link which has been used for many months. However, 2 new colleagues need to have access and it is not working (despite working fine for all the other colleagues). And it is not a limitation on the number of connections as it is set to not limit the number of connections and it also fails when nobody else is logged-in.
The error that is logged at the Mikrotik during these attempts is:

jul/26 21:24:44 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 660
jul/26 21:24:45 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 660
jul/26 21:24:46 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 660
jul/26 21:24:51 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 463
jul/26 21:24:52 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 463
jul/26 21:24:53 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 463
jul/26 21:24:56 firewall,info input: in:[1]WAN_F out:(unknown 0), src-mac zz:zz:zz:zz:zz:zz, proto UDP, xxx.xxx.xxx.xx:500->yyy.yy.yy.yy:500, len 463

As the setup is unique at the router, I investigated at the client level. Everything is equal, except the operating system on these 2 new colleagues that have the latest Windows 10 release.
The error that they get at their PC, after the initial “Connecting to yyy.yy.yy.yy” is “The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPSEC tunnel, the security parameters required for IPSEC negotiation might not be configured properly”
At the client side I am using the same configuration on all the 4 PCs:
• Server name or address: yyy.yy.yy.yy
• VPN type: Automatic
• Type of sign-in: Username and password
What must be changed to accept the newer Windows 10 (if that is the problem) and the other PCs?
Thank you
 
sindy
Forum Guru
Forum Guru
Posts: 7143
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSEC VPN with Windows 10

Sat Aug 04, 2018 4:00 pm

Something in Windows' VPN client may have changed intentionally or unintentionally. To see what has changed in particular, you'll need to use logging on Mikrotik, see this similar topics for details.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ruiesteves
newbie
Topic Author
Posts: 31
Joined: Wed Jan 11, 2017 9:30 pm

Re: L2TP/IPSEC VPN with Windows 10

Sun Aug 05, 2018 4:25 am

Hi Sindy.
Thank you for your reply.
I went through the post that you mentioned and the linked wiki page https://wiki.mikrotik.com/wiki/Manual:IP/IPsec. I tried the L2TP setup and I tried the Mode Conf and the IKE2. But none worked and at this time I am already confused.
I attached the configuration file. It has all the configurations that I did today and none work.
I just need one of them to work with a Windows 10 client. I guess that L2TP is enough, but it was only working on 2 PCs and not on the other 2 PCs.
What is wrong with it?
Thank you.
You do not have the required permissions to view the files attached to this post.
 
sindy
Forum Guru
Forum Guru
Posts: 7143
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSEC VPN with Windows 10

Sun Aug 05, 2018 11:09 am

The post I've linked to in my previous one was a clear instruction how to find out what the new Windows10 client requires and which of its requirements are not compatible with your current settings.

Instead of following that instruction to find out how to slightly modify the current L2TP/IPsec setup, you have tried with another VPN mode (ike2) at Windows side. But the requirements for phase 1 and/or phase 2 authentication, encryption, and other algorithms exist in ike2 case as well, so without finding out which combinations of these algorithms the client supports and proposes, you cannot succeed either.

So without visualizing the failed communication, there is no way ahead.

So I'd keep the configuration on Mikrotik side in its working state, double-check that by connecting one of the "old" PCs which do connect successfully, and then disconnect as much IPsec peers as you can without affecting your workflow (to minimize the amount of unrelated events in the log), start the logging and press [connect] on one of those Windows10 machines which fail to connect. After getting the error message from Windows, you can stop logging and start reading the log. It is not that hard but if you feel lost, just obfuscate the IP addresses and post the log file.

And one general remark - L2TP/IPsec doesn't work for two clients accessing the same server from behind the same public address unless you implement a server-side workaround.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ruiesteves
newbie
Topic Author
Posts: 31
Joined: Wed Jan 11, 2017 9:30 pm

Re: L2TP/IPSEC VPN with Windows 10

Sun Aug 05, 2018 11:40 pm

Hi Sindy,
Sorry for my confusion. This time I followed the instructions.
I cleaned up the configuration, returning to the starting point (cleaned configuration attached)
I also set:
/system logging add topics=ipsec,!packet
/log print follow-only file=ipsec-start where topics~"ipsec"
The result is the attached file ipsec-start.txt
as I am not a network /communications expert, I am unable to interpret and find the most appropriate solution.
can you please help me?
Thank you

I forgot to tell that the error that the client displays is:
The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly
You do not have the required permissions to view the files attached to this post.
 
sindy
Forum Guru
Forum Guru
Posts: 7143
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSEC VPN with Windows 10

Mon Aug 06, 2018 12:04 am

The log shows that the Windows try first to establish an ike2 IPsec connection (where only one exchange mode is available) and then an ike1 connection (where several exchange modes exist - main, aggressive, base). When Mikrotik receives an initial packet of an IPsec connection, it looks for a peer whose address and exchange-mode parameters match the incoming request. Peers with exchange-mode set to main and main-l2tp cannot be distinguished from each other because these two only differ by handling, not by the identification code in the initial packet.

So please post the output of /ip ipsec peer print as that will show also dynamically added peers. Replace the IP addresses you want to hide by meaningful strings, but hide only what really needs to be hidden, keep 0.0.0.0/0 and alike unchanged.

But if you have really checked that the other Windows machines can connect successfully with this configuration, it means that the failing Windows client indicates use of aggressive, base, or by mistake some non-standardized mode. To confirm that, you would have to change the logging setting to log also the contents of the packets using /system logging set [find topics~"ipsec"] topics=ipsec and repeat the procedure.

So please do both steps above and post the results.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
saburtwo
just joined
Posts: 6
Joined: Sun Aug 05, 2018 11:55 pm

Re: L2TP/IPSEC VPN with Windows 10

Mon Aug 06, 2018 12:27 am

Hi
I had similar issues with Windows 10 so I moved over to IKev2 and created certificates no problems any more
Just remember to set PFS group to none otherwise it will drop randomly as I found out

Ta
 
sindy
Forum Guru
Forum Guru
Posts: 7143
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSEC VPN with Windows 10

Mon Aug 06, 2018 1:12 am

Just noticed that - in the configuration you've posted in your previous post, the l2tp-server configuration does not create a dynamic IPsec peer, and the static one has address=0.0.0.0/32. So either the older Win10 client allows to establish L2TP connection without the IPsec tunnel whereas the new one doesn't, or there must be a mistake in the "restored" configuration because 0.0.0.0/32 doesn't match any address, there should be 0.0.0.0/0 to accept connections from anywhere.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ruiesteves
newbie
Topic Author
Posts: 31
Joined: Wed Jan 11, 2017 9:30 pm

Re: L2TP/IPSEC VPN with Windows 10

Mon Aug 06, 2018 3:04 am

Hi
You are right. It should be 0.0.0.0/0 and not 0.0.0.0/32. I already fixed it.

Attached you can find the log with the new details.
When we finish debugging, what is the command to restore the normal log without all those details?

This is the output of the command /ip ipsec peer print:
# aug/ 5/2018 20:59: 1 by RouterOS 6.42.6
# software id = 6X1L-00W2
#
Flags: X - disabled, D - dynamic, R - responder
0 R address=0.0.0.0/0 auth-method=pre-shared-key
secret="********************" generate-policy=port-strict
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha512 enc-algorithm=aes-256,3des dh-group=modp1024
lifetime=1d dpd-interval=2m dpd-maximum-failures=5

Thank you.
You do not have the required permissions to view the files attached to this post.
 
sindy
Forum Guru
Forum Guru
Posts: 7143
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSEC VPN with Windows 10

Mon Aug 06, 2018 10:38 am

Check the settings of the new Windows client - in all its proposals in all the attempts, the Windows client only proposes to use certificates for mutual authentication, whereas your configuration is for authentication using a shared secret:
20:42:52 ipsec rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = pre-shared key:RSA signatures

To stop logging of ipsec debug, you'll just disable or remove the /system logging item with topics~ipsec.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ruiesteves
newbie
Topic Author
Posts: 31
Joined: Wed Jan 11, 2017 9:30 pm

Re: L2TP/IPSEC VPN with Windows 10

Mon Aug 06, 2018 9:09 pm

Hi
When setting the VPN on the client side, I selected "VPN type=Automatic". Probably with the newer Win10 version it behaves differently. So, I changed to "VPN type=L2TP/IPsec with pre-shared key".
Now it also fails but now the error is: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer".
Attached I am sending the log for this attempt.
It seems that we are one step closer but not yet there.
You do not have the required permissions to view the files attached to this post.
 
sindy
Forum Guru
Forum Guru
Posts: 7143
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSEC VPN with Windows 10  [SOLVED]

Mon Aug 06, 2018 10:36 pm

Looking at your /ip ipsec peer print, I can see hash-algorithm=sha512 enc-algorithm=aes-256,3des dh-group=modp1024 and I wonder how it could ever work with the older versions of Windows clients as these older versions definitely didn't support sha512 (nor does the new one). So I'm afraid it might be that the older windows clients could fall back to plain L2TP without IPsec (which would be worth testing - when one of the old WIndows client will be the only one connected, try /ip ipsec remote-peers print to see whether that PC's public IP is in the list - if it is not, it is connected using a plain L2TP) while the new version does not permit the fallback.

So the next step is to set peer's hash-algorithm to sha1, enc-algorithm to aes-256 and dh-group to modp2048 which are the strongest phase 1 algorithms proposed by the Windows client, which to my knowledge the older clients support too. This way, both old and new clients should get past phase 1, and the next thing may be to deal with will be the phase 2 proposal.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ruiesteves
newbie
Topic Author
Posts: 31
Joined: Wed Jan 11, 2017 9:30 pm

Re: L2TP/IPSEC VPN with Windows 10

Mon Aug 06, 2018 11:07 pm

It worked fine with one of the new PCs. I will check with the older ones to see if they still connect
Thank you!
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1154
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: L2TP/IPSEC VPN with Windows 10

Thu Dec 27, 2018 9:16 pm

I'm posting this here for the benefit of others who happen across this topic. My understanding of the most secure settings that will still allow the included Windows 10 (1703 aka Creators Update) IPsec client to connect via IPSec PSK are as follows:

Phase1: (/ip ipsec peer profile)
dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

Phase2: (/ip ipsec proposal)
auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256

Unfortunately, these settings can not be configured in the GUI, you'll need to use Powershell. Below is a working configuration (if you want IPsec shared secret support) for Windows 10 and iOS 12 devices.

Windows 10 PowerShell L2TP/IPsec PSK settings:
#
# Compatible with Windows 10 and iOS 12 clients for connecting to MikroTik
#
# Reading
# https://forum.mikrotik.com/viewtopic.php?&t=137634
# https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration
# https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
# https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
# https://security.stackexchange.com/a/171511
#
# Follow up settings in the Windows GUI: Control Panel \ Network and Internet \ Network Connections

#
# Use ECP-256 (DHGroup19) to wrap an AES128 keys. Use ECP-521 (DHGroup21) to wrap AES256 keys.
#
#
# EncryptionMethod			= Phase 1
# IntegrityCheckMethod		= Hash Algorithm
# DHGroup					= Initial Key Exchange during setup

# CipherTransformConstants 	= Phase 2
# PfsGroup					= Perfect forward Secrecy (when the keys get exchanged again, say after an hour)
#
# AuthenticationTransformConstants = AH (not ESP which we use here)


Add-VpnConnection -Name "VPNName" -ServerAddress PublicIPAddress -TunnelType "L2tp"

Set-VpnConnectionIPsecConfiguration -ConnectionName "VPNName" -EncryptionMethod AES256 -CipherTransformConstants AES256 -IntegrityCheckMethod SHA256 -PfsGroup ECP256 -DHGroup ECP256 -AuthenticationTransformConstants SHA196 -PassThru -Force

MikroTik L2TP/IPsec PSK server settings
######################################
# Minimal settings for L2TP/IPSec VPN
######################################

/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=required ipsec-secret="PasswordSecret"

/interface l2tp-server
add name=L2TP user=uservpn

/ppp secret
add name=uservpn password="PasswordUser" service=l2tp

/ppp profile
set default local-address=192.168.0.1 remote-address=pool_LAN use-encryption=required

#Phase1 settings, Windows 7 requires hash-algorithm=sha1
/ip ipsec peer profile
set [ find default=yes ] dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

# added automatically when l2tp-server server enabled=yes
#/ip ipsec peer
#add local-address=PublicIP exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret="PasswordSecret" comment=Phase1

#Phase2 Settings
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256

# configure the rest of the router
/interface list
add name=LAN
add name=WAN

/interface list member
add interface=bridge-LAN 	list=LAN
add interface=L2TP1 		list=LAN
add interface=ether1 		list=WAN

/ip firewall filter
add chain=input protocol=udp port=1701,500,4500 comment=L2TP_IPSEC
add chain=input protocol=ipsec-esp
add chain=forward action=accept connection-state=new in-interface-list=LAN comment="Allow LAN"

/interface
set bridge-LAN arp=proxy-arp

# optional
/system logging
add topics=ipsec,!packet

 
ronal01
just joined
Posts: 13
Joined: Thu Jan 31, 2019 10:40 pm

Re: L2TP/IPSEC VPN with Windows 10

Thu Jul 02, 2020 8:14 pm

Who is online

Users browsing this forum: Bing [Bot], McSee and 87 guests